Description of problem: If I try to print a document, it gets printed only when firewalld is not running. Is there documentation on how the needed ports can be enabled in the new firewall?
Can you attach the output from the Printing troubleshooter when you try to print with firewalld running? https://fedoraproject.org/wiki/Printing/Debugging#Printing_troubleshooter
Created attachment 915438: Comment (This comment was longer than 65,535 characters and has been moved to an attachment by Red Hat Bugzilla).
Does anything change when you edit /etc/firewalld/firewalld.conf, change DefaultZone=public to DefaultZone=internal or to DefaultZone=trusted, and run 'systemctl restart firewalld.service'?
DefaultZone=internal works. DefaultZone=trusted works, too.
Thanks, what about 'DefaultZone=work'?
DefaultZone=work also works
I think it would be a nice thing if it were possible to use a printer even in the default setup of the firewall, or to configure it automatically when a printer is added.
I changed my default zone to 'work', that works. How can I enable the port 25565 permanently?
So, I tried it myself by looking at the files in /usr/lib/firewalld and /etc/firewalld. First I created a new file /etc/firewalld/services/minecraft.xml that defines tcp port 25565. Second I copied internal.xml to /etc/firewalld/zones/cb.xml, added the service 'minecraft' there and changed the default zone to 'cb'. So far that seems to work. Is there a way to do something like this with less manual work or is that just the way to do it?
(In reply to comment #11)
> Is there a way to do something like this with less manual work or is that
> just the way to do it?
Brilliant! That's indeed the way. There will finally be documentation for this in the next firewalld release, but you don't need it anymore :) We don't have a GUI (firewall-config) yet, so this is really the only way to do it at the moment.
One last question: is there some kind of inheritance regarding the files in /etc/firewalld and /usr/lib/firewalld, or is copying from /usr/lib/firewalld to /etc/firewalld always necessary? Thanks!
No, there is no inheritance. The files in /usr/lib/firewalld are overloaded by the files in /etc/firewalld. Only immutable zones can not be overloaded. You should copy the files over to /etc/firewalld that you want to modify.
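The procedure from the comments above (a custom service file, a zone copied from the shipped one, and a changed DefaultZone), as an added example that is not part of the original thread or of firewalld itself. It assumes the firewalld XML layout of a `<service>` with a `<port>` child and a `<zone>` with `<service name=.../>` children, uses a constructed stand-in for internal.xml, and works in a scratch directory rather than the live /usr/lib/firewalld and /etc/firewalld.

```python
import shutil, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def write_service(etc, name, port, proto="tcp"):
    """Create <etc>/services/<name>.xml defining one port."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = name
    ET.SubElement(svc, "port", protocol=proto, port=str(port))
    path = etc / "services" / f"{name}.xml"
    path.parent.mkdir(parents=True, exist_ok=True)
    ET.ElementTree(svc).write(str(path), encoding="utf-8", xml_declaration=True)
    return path

def derive_zone(lib, etc, base, new, service):
    """Copy shipped zone <base> to <etc>/zones/<new>.xml and add <service>."""
    dst = etc / "zones" / f"{new}.xml"
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy(lib / "zones" / f"{base}.xml", dst)  # full copy: no inheritance
    tree = ET.parse(str(dst))
    root = tree.getroot()
    if not any(s.get("name") == service for s in root.findall("service")):
        ET.SubElement(root, "service", name=service)  # idempotent add
    tree.write(str(dst), encoding="utf-8", xml_declaration=True)
    return dst

def set_default_zone(conf, zone):
    """Rewrite only the DefaultZone= line of firewalld.conf."""
    out = [f"DefaultZone={zone}" if l.startswith("DefaultZone=") else l
           for l in conf.read_text().splitlines()]
    conf.write_text("\n".join(out) + "\n")

def demo():
    """Run the procedure in a scratch tree instead of the live filesystem."""
    root = Path(tempfile.mkdtemp())
    lib, etc = root / "usr/lib/firewalld", root / "etc/firewalld"
    (lib / "zones").mkdir(parents=True)
    (lib / "zones/internal.xml").write_text(  # constructed stand-in
        '<zone><service name="ssh"/><service name="ipp-client"/></zone>')
    svc = write_service(etc, "minecraft", 25565)
    (etc / "firewalld.conf").write_text("DefaultZone=public\n")  # constructed
    zone = derive_zone(lib, etc, "internal", "cb", "minecraft")
    set_default_zone(etc / "firewalld.conf", "cb")
    return {"services": [s.get("name") for s in ET.parse(str(zone)).getroot().findall("service")],
            "port": ET.parse(str(svc)).getroot().find("port").attrib,
            "conf": (etc / "firewalld.conf").read_text()}

if __name__ == "__main__":
    print(demo())
```

On a real host the two directories are /usr/lib/firewalld and /etc/firewalld, and the change takes effect after 'systemctl restart firewalld.service' as mentioned earlier in the thread.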
Closing. How to permanently allow a service or add a port is described in the man pages shipped with firewalld-0.2.5-1.fc17. https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17
The gnome printer config tricks the user into installing firewalld, which has no configuration program yet. Attempting to start the old firewall configuration program tells you to start firewall-config, which does not yet exist in F17. Attempting to print will show the print job forever stuck in the print queue because firewalld does not open the necessary port. As a user, you are supposed to understand somehow that the problem is with the firewall, and fix it by reading firewalld's man page and knowing somehow which port/service you need opened. User-friendliness at its absolute worst. I suggest you fix this problem at its root by removing gnome printer config until it works with the rest of your software stack.